Organizations are transitioning from on-premises systems to the cloud at a staggering rate. The cloud offers improved security, greater efficiency and cost savings; and for many businesses, it’s a critical transition to meet consumer demands and stay competitive in their space. Those businesses are likely storing their content — including their customers’ personal information — in the cloud.
Several recent high-profile data breaches at Yahoo, LinkedIn, and iCloud made headlines and left many decision-makers wondering, “Is my customers’ personal information really safe in the cloud?”
To answer that question, it’s important to understand how cloud security works and the roles played both by the cloud service provider (CSP) and you — the customer.
There are two parties responsible for keeping information secure in the cloud:
- The organization — banks, hospitals, credit bureaus, email service providers, credit card companies, etc.
- The cloud service provider — although there are several major cloud service providers, we’ll use Amazon Web Services (AWS) as they are the largest, fastest-growing, and most fully-developed CSP.
In describing cloud security, AWS promotes their shared responsibility model. Simply put, AWS is responsible for the security OF the cloud; and AWS customers are responsible for security of their data IN the cloud.
Security OF the Cloud
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, physical facilities and virtualization layer that run AWS Cloud services.
But how does AWS ensure its infrastructure is secure?
- Amazon attracts the world’s most talented engineers and has the money to pay for large security teams and the best security tools available. Highly skilled teams of IT professionals are tasked with monitoring, penetration testing, and updating infrastructure and security tools on a daily basis.
- Economies of scale allow AWS to spread security costs across a large number of customers in cloud data centers, and they are able to apply far more resources to physical, technical, and operational security measures than any single organization can. AWS also safeguards data security in cloud computing by operating multiple data centers around the world with data replicated across facilities.
AWS has over 67 services under ISO compliance and maintains certifications through frequent and extensive audits of its controls to ensure that information security risks that affect the confidentiality, integrity, and availability of company and customer information are appropriately managed.
A 2017 Gartner Report on cloud security revealed that public cloud implementations of infrastructure as a service, or IaaS, are hit with 60% fewer attacks than on-premises systems, which the report surmises is a result of attackers not wanting to target systems that are run with extreme attention paid to security tools and monitoring.
Security IN the Cloud
AWS customers are responsible for and in control of the security of their content (including customer information), platforms, systems, applications and networks in the cloud. How do they ensure the security of personal information?
AWS provides multiple data security services, such as encryption, security groups, multi-factor authentication capabilities, and network firewalls. Customers are responsible for deploying, configuring, and maintaining security baselines within their available services, but Amazon provides guidance, support and tools to help ensure you are securing your data properly.
Human error drives data breaches and was estimated to be responsible for up to 90% of all breaches in 2017. AWS customers have access to resources, services, and training to help avoid human errors that may compromise their data, including services like AWS CloudTrail to monitor API calls and perform security analysis and compliance audits.
While AWS maintains compliance through ISO certifications, it’s the customer’s responsibility to comply with privacy and GDPR requirements for regulated industries, such as financial services, healthcare, and public services. Customers maintain ownership and control over their customer content and are responsible for determining where it will be stored, how it will be secured in transit or at rest and how to manage access to AWS services and resources.
While organizations are ultimately responsible for keeping their customers’ information secure, using a cloud partner like AWS gives them access to the most advanced security services available to help them protect personal information.
Your Responsibility to Your Customers
It’s also important to educate your customers on how to help safeguard their information and put processes in place to guide them through it. PINs, fingerprint identification, two-factor authentication, and strong passwords are all authentication methods you can offer your customers. It’s up to you to educate your customers in the protocols your organization uses to safeguard customer data.
Cloud storage is critical to our digital infrastructure and most security innovations are happening in the cloud and being designed for cloud-based solutions. Statistically, it’s much safer for personal information to be stored in the cloud than in an on-premises system. Is the cloud secure? Yes. Is your customers’ personal information secure in the cloud? That’s up to you.